"We believe that they had plans to finish [the function] at some point," said Ryan Olson, director of threat intelligence, Unit 42, Palo Alto's name for its research lab. "But they went live a little earlier than they expected."

Palo Alto Networks' researchers Claud Xiao and Jin Chen identified KeRanger early Friday, just hours after it reached the wild, and finished their analysis Saturday. On Friday afternoon, they reached out to Apple to alert the Cupertino, Calif. company of their findings. By Sunday, Apple had revoked the digital certificate used to sign the malware, and Transmission, the company whose free Mac BitTorrent client had been used to distribute the attack code, had removed the tainted version and issued an update to scrub the ransomware.

Because KeRanger contained a three-day, hard-coded delay before executing, the quick work by Palo Alto, Apple and Transmission meant that few if any Mac users had their files locked up, and so did not have to hope they had backups or the $400 to pay the extortionists.

But the criminals were more ambitious than most: They planned to create code that would have encrypted more than 300 file types not only on a Mac's internal hard drive, but also on any Time Machine backups.

Time Machine is the backup software baked into OS X. Although Time Machine works with any external drive, Apple sells its own Time Capsule backup devices. Because Time Machine is essentially fire-and-forget once enabled, it's a very popular choice for Mac owners for backing up the contents of their desktop and notebook computers' storage drives.

Ransomware is a very profitable criminal activity, said Thomas Reed, director of Mac offerings at Malwarebytes. "It's the biggest money maker," Reed asserted, of the many ways criminals try to monetize their malware.

The category has victimized computer owners for more than a decade, and while it has, like all malware, changed since it debuted, ransomware has some basic properties: If a machine is infected, the code encrypts all or parts of a drive -- typically by selecting the most valuable file types, like Microsoft Word or Excel documents -- then displays a message demanding payment for the key that will decrypt the data. Increasingly, that payment is in the form of Bitcoin, the digital currency.

KeRanger wanted one Bitcoin, or approximately $412 at Monday's exchange rate.

One way to avoid paying such extortionists is by restoring the system using recent backups.

Ransomware writers now typically disable Windows' "System Restore" feature, which regularly takes snapshots of the PC, then lets the user return to that milestone, said Olson. It's less common for ransomware to explicitly target backups on Windows, however, perhaps because the operating system's integrated Backup functionality is little used and scores of alternatives vie for market share.

"Some Windows ransomware will encrypt backups as well as the main drive," said Reed, although he acknowledged the practice was not widespread.

Reed, who authors Malwarebytes Lab's official blog, TheSafeMac.com, pointed out that Time Machine backups are "infamously fragile," and it's possible that had the hackers implemented an encrypt-all-external-backups feature in KeRanger, users would have found their backups trashed, not just locked up. In that case, paying the ransom wouldn't have done any good, at least for the backups.

"As long as you're respectful of it, and using Time Machine to do restoration, you're good," said Reed. "But if you go messing with Time Machine backups with another app, you can break the whole thing, so you can't restore at all."

While there may not be much that Apple could do to prevent Time Machine backups from being encrypted by hackers -- Reed said that KeRanger would have spotted any drive "mounted" to the Mac, a task that Time Machine does in the background when it initiates a scheduled backup -- Mac users can recover a ransomware-locked system if they have multiple backups, both Olson and Reed said.

"Ideally, you should have multiple backup systems, with only one connected to your computer at one time," said Reed. "Redundancy is good."

Storing one backup offsite is also a good idea, added Olson, a tip that ensures data survivability in case of natural disaster, theft or fire.
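As an added illustration of the backup advice from Reed and Olson above (not code from the article, Palo Alto Networks or Malwarebytes), the script below parses the kind of output macOS's `tmutil destinationinfo` prints and reports when the configured Time Machine destinations violate that advice: fewer than two destinations, more than one destination attached at the same time, or no destination left offline. The sample output is constructed to look like `tmutil`'s format and is not captured from a real machine; the `live_destinations()` helper that shells out to `tmutil` is an assumption about that command's output shape and only works on a Mac.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample shaped like `tmutil destinationinfo` output on macOS.
# Three destinations: two currently attached (a local disk and a network
# share that Time Machine mounts in the background), one offsite disk that
# is not attached right now.
SAMPLE_TMUTIL_OUTPUT = """\
==================================================
Name          : Office Drive
Kind          : Local
Mount Point   : /Volumes/Office Drive
ID            : 11111111-2222-3333-4444-555555555555
==================================================
Name          : Home NAS
Kind          : Network
URL           : smb://nas.local/TimeMachine
Mount Point   : /Volumes/Home NAS
ID            : 66666666-7777-8888-9999-000000000000
==================================================
Name          : Offsite Rotating Disk
Kind          : Local
ID            : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
"""


@dataclass
class Destination:
    name: str
    kind: str
    dest_id: str
    mount_point: Optional[str]  # None when the destination is not attached


def parse_destinationinfo(text: str) -> List[Destination]:
    """Split tmutil-style output into one Destination per '====' block."""
    dests: List[Destination] = []
    for block in re.split(r"^=+\s*$", text, flags=re.MULTILINE):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(":")  # first ':' only; URLs keep theirs
            if sep:
                fields[key.strip()] = value.strip()
        if "Name" in fields:
            dests.append(Destination(
                name=fields["Name"],
                kind=fields.get("Kind", "Unknown"),
                dest_id=fields.get("ID", ""),
                mount_point=fields.get("Mount Point"),
            ))
    return dests


def check_backup_policy(dests: List[Destination]) -> List[str]:
    """Findings against the article's advice: keep more than one backup,
    attach only one at a time, and keep one offline or offsite. A mounted
    backup volume is reachable by anything running on the Mac, so an
    attached destination counts as exposed."""
    findings = []
    if len(dests) < 2:
        findings.append("fewer than two backup destinations configured (no redundancy)")
    attached = [d for d in dests if d.mount_point]
    if len(attached) > 1:
        names = ", ".join(d.name for d in attached)
        findings.append(f"{len(attached)} backup destinations attached at once: {names}")
    if dests and len(attached) == len(dests):
        findings.append("every backup destination is attached; none is offline or offsite")
    return findings


def live_destinations() -> List[Destination]:
    """Assumption: on macOS, `tmutil destinationinfo` prints the format above."""
    out = subprocess.run(["tmutil", "destinationinfo"], capture_output=True,
                         text=True, check=True).stdout
    return parse_destinationinfo(out)


if __name__ == "__main__":
    for finding in check_backup_policy(parse_destinationinfo(SAMPLE_TMUTIL_OUTPUT)):
        print("WARNING:", finding)
```

Run as-is, the script reports that two of the three sample destinations are attached simultaneously; swap `SAMPLE_TMUTIL_OUTPUT` for `live_destinations()` on a Mac to check a real configuration. The check is deliberately conservative: a network share Time Machine has mounted counts as attached, since that is exactly the state the article says KeRanger would have noticed.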

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.